Distribute-list

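A distribute list filters routes by referencing an ACL. It can filter within a single routing domain, or filter when redistributing between routing protocols.
Note: distribute lists can only be used with distance-vector protocols; in link-state protocols they are meaningless.
Case 1: Filtering a specific route
R2(S1/1)------(S1/0)R1(S1/1)------(s1/0)R3
In the topology above, two loopback interfaces are enabled on R2, one with 172.16.1.1 and one with 172.16.2.1. The goal is that R3 must not receive the 172.16.1.0 route.
After EIGRP is running across the whole network, look at R3's routing table: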
R3#sh ip ro ei
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2809856] via 13.1.1.1, 00:00:24, Serial1/0
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.1.0 [90/2809856] via 13.1.1.1, 00:00:24, Serial1/0
D       172.16.2.0 [90/2809856] via 13.1.1.1, 00:00:24, Serial1/0
     12.0.0.0/24 is subnetted, 1 subnets
D       12.1.1.0 [90/2681856] via 13.1.1.1, 00:01:17, Serial1/0
To meet the requirement, the following configuration can be applied on R1:
R1#sh run | b r e
 distribute-list 1 out Serial1/1
!
access-list 1 deny   172.16.1.0 0.0.0.0
access-list 1 permit any
Check R3's routing table again:
R3#sh ip ro ei
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2809856] via 13.1.1.1, 00:00:39, Serial1/0
     172.16.0.0/24 is subnetted, 1 subnets
D       172.16.2.0 [90/2809856] via 13.1.1.1, 00:00:39, Serial1/0
     12.0.0.0/24 is subnetted, 1 subnets
D       12.1.1.0 [90/2681856] via 13.1.1.1, 00:00:39, Serial1/0
Now look at each router's configuration:
R2 configuration:
R2#sh run  | b r e
router eigrp 100
 network 2.2.2.2 0.0.0.0
 network 12.1.1.2 0.0.0.0
 network 172.16.0.0
 no auto-summary
R1 configuration:
R1#sh run | b r e
router eigrp 100
 network 12.1.1.1 0.0.0.0
 network 13.1.1.1 0.0.0.0
 distribute-list 1 out Serial1/1
 no auto-summary
!
ip classless
no ip http server
!
!
access-list 1 deny   172.16.1.0 0.0.0.0
access-list 1 permit any
R3 configuration:
R3#sh run | b r e
router eigrp 100
 network 3.3.3.3 0.0.0.0
 network 13.1.1.3 0.0.0.0
 no auto-summary
 
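Case 2: Filtering during redistribution between protocols
R2(S1/1)------(S1/0)R1(S1/1)------(s1/0)R3
In the topology above, two loopback interfaces are enabled on R2, one with 172.16.1.1 and one with 192.168.2.1. The goal is that R3 must not receive the 172.16.1.0 route. R2 and R1's S1/0 run EIGRP; R1's S1/1 and R3 run OSPF.
When the whole network is running normally, R3's routing table is: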
R3#sh ip ro os
     2.0.0.0/24 is subnetted, 1 subnets
O E2    2.2.2.0 [110/20] via 13.1.1.1, 00:01:44, Serial1/0
     172.16.0.0/24 is subnetted, 1 subnets
O E2    172.16.1.0 [110/20] via 13.1.1.1, 00:01:44, Serial1/0
     12.0.0.0/24 is subnetted, 1 subnets
O E2    12.1.1.0 [110/20] via 13.1.1.1, 00:01:44, Serial1/0
O E2 192.168.2.0/24 [110/20] via 13.1.1.1, 00:00:13, Serial1/0
To meet the requirement, apply the following configuration on R1:
R1#sh run | b r o
 distribute-list 1 out eigrp 100
!
access-list 1 deny   172.16.1.0
access-list 1 permit any
Now look at R3's routing table again:
R3#sh ip ro os
     2.0.0.0/24 is subnetted, 1 subnets
O E2    2.2.2.0 [110/20] via 13.1.1.1, 00:01:28, Serial1/0
     12.0.0.0/24 is subnetted, 1 subnets
O E2    12.1.1.0 [110/20] via 13.1.1.1, 00:01:28, Serial1/0
O E2 192.168.2.0/24 [110/20] via 13.1.1.1, 00:01:28, Serial1/0
Configuration of each router:
R2 configuration:
R2#sh run | b r e
router eigrp 100
 network 2.2.2.2 0.0.0.0
 network 12.1.1.2 0.0.0.0
 network 172.16.0.0
 network 192.168.2.0
 no auto-summary
R1 configuration:
R1#sh run | b r e
router eigrp 100
 redistribute ospf 100 metric 10000 100 1 255 1500
 network 12.1.1.1 0.0.0.0
 no auto-summary
!
router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 no auto-cost
 redistribute eigrp 100 metric 20 subnets
 network 13.1.1.1 0.0.0.0 area 0
 distribute-list 1 out eigrp 100
!
ip classless
no ip http server
!
!
access-list 1 deny   172.16.1.0 ---------------- use the network address
access-list 1 permit any
R3 configuration:
R3#sh run | b r o
router ospf 100
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 13.1.1.3 0.0.0.0 area 0
 
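This method can solve the summary feedback problem at a single redistribution point:
Here we enable two loopback interfaces on R3 and configure an EIGRP summary on R1's S1/0 interface. Now look at the routing tables of R2 and R3: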
R1#sh run int s1/0
Building configuration...
Current configuration : 146 bytes
!
interface Serial1/0
 ip address 12.1.1.1 255.255.255.0
 ip summary-address eigrp 100 222.222.0.0 255.255.248.0 5
 serial restart-delay 0
R2#sh ip ro ei
     3.0.0.0/32 is subnetted, 1 subnets
D EX    3.3.3.3 [170/2195456] via 12.1.1.1, 00:00:07, Serial1/1
     13.0.0.0/24 is subnetted, 1 subnets
D EX    13.1.1.0 [170/2195456] via 12.1.1.1, 00:00:07, Serial1/1
D    222.222.0.0/21 [90/2195456] via 12.1.1.1, 00:00:07, Serial1/1
R3#sh ip ro os
     2.0.0.0/24 is subnetted, 1 subnets
O E2    2.2.2.0 [110/20] via 13.1.1.1, 00:00:31, Serial1/0
     12.0.0.0/24 is subnetted, 1 subnets
O E2    12.1.1.0 [110/20] via 13.1.1.1, 00:07:20, Serial1/0
O E2 192.168.2.0/24 [110/20] via 13.1.1.1, 00:00:31, Serial1/0
O E2 222.222.0.0/21 [110/20] via 13.1.1.1, 00:00:42, Serial1/0
We configure a distribute-list on R1:
R1#sh run | b r o
 distribute-list 2 out eigrp 100
!
access-list 2 deny   222.222.0.0 0.0.7.255
access-list 2 permit any
Now look at R3's routing table again:
R3#sh ip ro os
     2.0.0.0/24 is subnetted, 1 subnets
O E2    2.2.2.0 [110/20] via 13.1.1.1, 00:03:28, Serial1/0
     172.16.0.0/24 is subnetted, 1 subnets
O E2    172.16.1.0 [110/20] via 13.1.1.1, 00:00:36, Serial1/0
     12.0.0.0/24 is subnetted, 1 subnets
O E2    12.1.1.0 [110/20] via 13.1.1.1, 00:10:18, Serial1/0
O E2 192.168.2.0/24 [110/20] via 13.1.1.1, 00:03:28, Serial1/0
 
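Note: when filtering during redistribution, only the keyword out may be used. It can be followed by a protocol name but not by an interface, because that would be meaningless; see Volume 1 for details. (Note: in cannot be followed by a protocol; only out can.)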
 
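Case 3: Using a distribute list in OSPF (not very useful)
R2(S1/1)------(S1/0)R1(S1/1)------(s1/0)R3
In the topology above, two loopback interfaces are enabled on R2, one with 172.16.1.1 and one with 192.168.2.1. The goal is that R3 must not receive the 172.16.0.0 route.
Before distribute-list is configured, look at the routing tables of R1 and R3: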
R1#sh ip ro os
     222.222.2.0/32 is subnetted, 1 subnets
O       222.222.2.1 [110/1563] via 13.1.1.3, 00:00:09, Serial1/1
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/1563] via 12.1.1.2, 00:00:09, Serial1/0
     222.222.1.0/32 is subnetted, 1 subnets
O       222.222.1.1 [110/1563] via 13.1.1.3, 00:00:09, Serial1/1
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/1563] via 13.1.1.3, 00:00:09, Serial1/1
     172.16.0.0/32 is subnetted, 1 subnets
O       172.16.1.1 [110/1563] via 12.1.1.2, 00:00:09, Serial1/0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.1 [110/1563] via 12.1.1.2, 00:00:09, Serial1/0
R3#sh ip ro os
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/1627] via 13.1.1.1, 00:00:42, Serial1/0
     172.16.0.0/32 is subnetted, 1 subnets
O       172.16.1.1 [110/1627] via 13.1.1.1, 00:00:42, Serial1/0
     12.0.0.0/24 is subnetted, 1 subnets
O       12.1.1.0 [110/1626] via 13.1.1.1, 00:00:42, Serial1/0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.1 [110/1627] via 13.1.1.1, 00:00:42, Serial1/0
Now configure R1:
R1#sh run | b r o
distribute-list 1 in Serial1/0
!
access-list 1 deny   172.16.0.0
Check the routing tables of R1 and R3 again:
R1#sh ip ro os
     222.222.2.0/32 is subnetted, 1 subnets
O       222.222.2.1 [110/1563] via 13.1.1.3, 00:00:34, Serial1/1
     222.222.1.0/32 is subnetted, 1 subnets
O       222.222.1.1 [110/1563] via 13.1.1.3, 00:00:34, Serial1/1
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/1563] via 13.1.1.3, 00:00:34, Serial1/1
R3#sh ip ro os
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/1627] via 13.1.1.1, 00:00:02, Serial1/0
     172.16.0.0/32 is subnetted, 1 subnets
O       172.16.1.1 [110/1627] via 13.1.1.1, 00:00:02, Serial1/0
     12.0.0.0/24 is subnetted, 1 subnets
O       12.1.1.0 [110/1626] via 13.1.1.1, 00:00:02, Serial1/0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.1 [110/1627] via 13.1.1.1, 00:00:02, Serial1/0
 
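Summary: in practice LSAs cannot be filtered; a router can only filter its own route entries. The filter takes effect only locally and does not affect the routes propagated outward. Filtering between areas can be done with the command area 1 range 172.16.1.0 255.255.0.0 not-adv and with prefix lists. When the distribute command is configured under a link-state protocol, the keyword out cannot be combined with an interface, because unlike distance-vector protocols, link-state protocols do not advertise routes from their own routing table, so there are no updates to filter.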
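The ACL matching behind the distribute lists in cases 1 to 3, as an added example that is not part of the original post: a small Python model of how a standard ACL is evaluated against route network addresses (first match wins, a missing wildcard means 0.0.0.0, and an implicit deny closes the list). The function names are hypothetical; the ACL lines are copied from the page.

```python
import ipaddress

def parse_acl(text):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' and 'permit any' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, addr = tok[2], tok[3]
        if addr == "any":
            base, wild = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(addr))
            # A standard ACL entry without a wildcard means 0.0.0.0 (exact match).
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((action, base, wild))
    return entries

def acl_action(entries, network):
    """First matching entry wins; a route that matches nothing hits the implicit deny."""
    net = int(ipaddress.IPv4Address(network))
    for action, base, wild in entries:
        if (net | wild) == (base | wild):
            return action
    return "deny"

def filter_routes(acl_text, networks):
    """Return the networks a distribute-list referencing this ACL lets through."""
    entries = parse_acl(acl_text)
    return [n for n in networks if acl_action(entries, n) == "permit"]

# ACLs copied from the page.
CASE1_ACL = """
access-list 1 deny   172.16.1.0 0.0.0.0
access-list 1 permit any
"""
SUMMARY_ACL = """
access-list 2 deny   222.222.0.0 0.0.7.255
access-list 2 permit any
"""
CASE3_ACL = "access-list 1 deny   172.16.0.0"  # no permit entry follows

if __name__ == "__main__":
    print(filter_routes(CASE1_ACL, ["2.2.2.0", "172.16.1.0", "172.16.2.0", "12.1.1.0"]))
    print(filter_routes(SUMMARY_ACL, ["222.222.0.0", "172.16.1.0", "192.168.2.0"]))
    # Case 3: nothing is permitted, so every route learned on Serial1/0 is dropped,
    # which matches R1's routing table after the filter is applied.
    print(filter_routes(CASE3_ACL, ["2.2.2.2", "172.16.1.1", "192.168.2.1"]))
```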
 
Case 4: Multiple redistribution points
   R2(f1/0)------(f1/0)R3
(s0/0)               (s0/0)
   |                    |
   |                    |
(s0/0)                (s0/0)
   R1                   R4
(f2/0)                (f1/0)
   |                     |
   |                     |
(f1/0)                   |
  R5(f0/0)---------------|
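R1 and R4 form the boundary: the part above them runs RIP and the part below runs OSPF.
Once the whole network is configured, first look at R1's routing table: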
R1#sh ip ro
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 192.168.3.2, 00:01:16, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/66] via 192.168.3.2, 00:01:16, Serial0/0
     4.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       4.4.4.4/32 [110/130] via 192.168.3.2, 00:01:16, Serial0/0
R       4.4.4.0/24 [120/3] via 192.168.2.1, 00:00:01, FastEthernet2/0
     5.0.0.0/24 is subnetted, 1 subnets
R       5.5.5.0 [120/1] via 192.168.2.1, 00:00:01, FastEthernet2/0
O    192.168.4.0/24 [110/65] via 192.168.3.2, 00:01:16, Serial0/0
O    192.168.5.0/24 [110/129] via 192.168.3.2, 00:01:16, Serial0/0
O E2 192.168.6.0/24 [110/100] via 192.168.3.2, 00:01:17, Serial0/0
R    192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:03, FastEthernet2/0
C    192.168.2.0/24 is directly connected, FastEthernet2/0
C    192.168.3.0/24 is directly connected, Serial0/0
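Here you will notice that the route to the 192.168.6.0 network does not go through R5 but through R2, which is not the best route. The way to solve this is to use distribute lists at the redistribution points to control the source of routes. Configure R1 and R4: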
R1#sh run | b r o
router ospf 1
 distribute-list 1 in  //accept only addresses inside the OSPF domain
!
router rip
 distribute-list 2 in  //accept only networks inside the RIP domain
!
access-list 1 permit 192.168.4.0
access-list 1 permit 192.168.5.0
access-list 2 permit 192.168.1.0
access-list 2 permit 192.168.6.0
R4#sh run | b r o
router ospf 1
 distribute-list 1 in
!
router rip
 distribute-list 2 in
!
access-list 1 permit 192.168.3.0
access-list 1 permit 192.168.4.0
access-list 2 permit 192.168.1.0
access-list 2 permit 192.168.2.0
After configuring the filters, look at R1's routing table again:
R1#sh ip ro
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
O    192.168.4.0/24 [110/65] via 192.168.3.2, 00:07:20, Serial0/0
O    192.168.5.0/24 [110/129] via 192.168.3.2, 00:07:20, Serial0/0
R    192.168.6.0/24 [120/1] via 192.168.2.1, 00:00:17, FastEthernet2/0
R    192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:17, FastEthernet2/0
C    192.168.2.0/24 is directly connected, FastEthernet2/0
C    192.168.3.0/24 is directly connected, Serial0/0
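This method eliminates the redundancy inherent in multiple redistribution points, but when R1's Ethernet link fails, the RIP network becomes unreachable, because the route filter prevents OSPF from installing the alternate routes in the routing table: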
R1#sh ip ro
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
O    192.168.4.0/24 [110/65] via 192.168.3.2, 00:11:04, Serial0/0
O    192.168.5.0/24 [110/129] via 192.168.3.2, 00:11:04, Serial0/0
C    192.168.3.0/24 is directly connected, Serial0/0
In this case, for IPv4, a better approach is to use distance to set the preferred route:
R1#sh run | b r o
router ospf 1
 distance 130
 distance 110 0.0.0.0 255.255.255.255 1
!
router rip
 distance 130
 distance 120 192.168.2.1 0.0.0.0 2
R4#sh run | b r o                 
router ospf 1
 distance 130
 distance 110 0.0.0.0 255.255.255.255 1 //address and wildcard mask
!
router rip
 distance 130
 distance 120 192.168.6.1 0.0.0.0 2
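The first distance command sets the administrative distance of OSPF and RIP to 130. The second distance command sets a different administrative distance based on the specified advertising router and ACL. In OSPF, the advertising router's address need not be the interface address of the next-hop router; it is the router ID of the router that originated the LSA, and routes are computed from the LSAs. When the network is normal, look at R4's routing table: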
R4#sh ip ro
     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
O    192.168.4.0/24 [110/65] via 192.168.5.2, 00:10:03, Serial0/0
C    192.168.5.0/24 is directly connected, Serial0/0
C    192.168.6.0/24 is directly connected, FastEthernet1/0
R    192.168.1.0/24 [120/1] via 192.168.6.1, 00:00:21, FastEthernet1/0
R    192.168.2.0/24 [120/1] via 192.168.6.1, 00:00:21, FastEthernet1/0
O    192.168.3.0/24 [110/129] via 192.168.5.2, 00:10:03, Serial0/0
After R4's f1/0 interface fails, R4's routing table becomes:
R4#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
O    192.168.4.0/24 [110/65] via 192.168.5.2, 00:30:54, Serial0/0
C    192.168.5.0/24 is directly connected, Serial0/0
R    192.168.1.0/24 is possibly down, routing via 192.168.6.1, FastEthernet1/0
R    192.168.2.0/24 is possibly down, routing via 192.168.6.1, FastEthernet1/0
O    192.168.3.0/24 [110/129] via 192.168.5.2, 00:30:54, Serial0/0
R4#sh ip ro
     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
O    192.168.4.0/24 [110/65] via 192.168.5.2, 00:10:03, Serial0/0
C    192.168.5.0/24 is directly connected, Serial0/0
C    192.168.6.0/24 is directly connected, FastEthernet1/0
O E2    192.168.1.0/24 [120/1] via 192.168.5.2, 00:00:21, FastEthernet1/0
O E2    192.168.2.0/24 [120/1] via 192.168.5.2, 00:00:21, FastEthernet1/0
O    192.168.3.0/24 [110/129] via 192.168.5.2, 00:10:03, Serial0/0
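Why the distance approach keeps a fallback path where the distribute-list did not, as an added example that is not part of the original post: a Python model of R1's two distance commands per protocol and the resulting route choice. It assumes ACLs 1 and 2 are the ones configured on R1 earlier in this case; the OSPF router IDs and the candidate routes are constructed, and the function names are hypothetical.

```python
import ipaddress

# ACLs 1 and 2 as configured on R1 earlier in case 4 (exact-match permits,
# implicit deny for everything else). Reusing them here is an assumption.
ACL = {1: {"192.168.4.0", "192.168.5.0"}, 2: {"192.168.1.0", "192.168.6.0"}}

# R1's distance commands: (distance, source address, wildcard, ACL number).
# The entry with no source is the protocol-wide default ("distance 130").
DISTANCE = {
    "ospf": [(110, "0.0.0.0", "255.255.255.255", 1), (130, None, None, None)],
    "rip": [(120, "192.168.2.1", "0.0.0.0", 2), (130, None, None, None)],
}

def source_matches(source, addr, wildcard):
    """Wildcard-mask comparison of the advertising source against addr."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(source)) | w) == (int(ipaddress.IPv4Address(addr)) | w)

def admin_distance(proto, source, network):
    """Distance R1 assigns to a route learned from `source` via `proto`."""
    for dist, addr, wildcard, acl in DISTANCE[proto]:
        if addr is None:
            return dist
        if source_matches(source, addr, wildcard) and network in ACL[acl]:
            return dist

def best_routes(candidates):
    """Pick, per network, the candidate with the lowest administrative distance."""
    best = {}
    for proto, source, network in candidates:
        ad = admin_distance(proto, source, network)
        if network not in best or ad < best[network][0]:
            best[network] = (ad, proto)
    return best

# Constructed candidates: (protocol, advertising source, network).
# OSPF router IDs 2.2.2.2 / 4.4.4.4 are placeholders, not taken from the page.
OSPF = [("ospf", "2.2.2.2", "192.168.4.0"), ("ospf", "2.2.2.2", "192.168.5.0"),
        ("ospf", "4.4.4.4", "192.168.6.0"), ("ospf", "4.4.4.4", "192.168.1.0")]
RIP = [("rip", "192.168.2.1", "192.168.6.0"), ("rip", "192.168.2.1", "192.168.1.0")]

if __name__ == "__main__":
    print("link up:  ", best_routes(OSPF + RIP))
    print("link down:", best_routes(OSPF))
```

With the RIP link up, the RIP-domain networks are installed from RIP at distance 120; with it down, the redistributed OSPF routes are still accepted at the default distance 130 instead of being filtered out.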


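Case 5: Using administrative distance to set router preference
The topology is the same as above. Here R4 is to be the primary router toward the OSPF domain, and R1 is chosen only when R4 is unreachable. Before the policy is applied, R5 performs equal-cost load balancing between R4 and R1: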
R5#sh ip ro
     1.0.0.0/24 is subnetted, 1 subnets
R       1.1.1.0 [120/2] via 192.168.2.2, 00:00:21, FastEthernet1/0
     4.0.0.0/24 is subnetted, 1 subnets
R       4.4.4.0 [120/2] via 192.168.6.2, 00:00:17, FastEthernet0/0
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
R    192.168.4.0/24 [120/2] via 192.168.6.2, 00:00:17, FastEthernet0/0
                    [120/2] via 192.168.2.2, 00:00:21, FastEthernet1/0
R    192.168.5.0/24 [120/2] via 192.168.6.2, 00:00:17, FastEthernet0/0
                    [120/2] via 192.168.2.2, 00:00:21, FastEthernet1/0
C    192.168.6.0/24 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback1
C    192.168.2.0/24 is directly connected, FastEthernet1/0
R    192.168.3.0/24 [120/2] via 192.168.6.2, 00:00:18, FastEthernet0/0
                    [120/2] via 192.168.2.2, 00:00:22, FastEthernet1/0
After configuring R5, look at R5's routing table:
R5#sh run | b r r
router rip
 version 2
 network 5.0.0.0
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.6.0
 distance 100 192.168.6.2 0.0.0.0
 no auto-summary
R5# sh ip ro
     1.0.0.0/24 is subnetted, 1 subnets
R       1.1.1.0 [120/2] via 192.168.2.2, 00:00:08, FastEthernet1/0
     4.0.0.0/24 is subnetted, 1 subnets
R       4.4.4.0 [100/2] via 192.168.6.2, 00:00:14, FastEthernet0/0
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
R    192.168.4.0/24 [100/2] via 192.168.6.2, 00:00:14, FastEthernet0/0
R    192.168.5.0/24 [100/2] via 192.168.6.2, 00:00:14, FastEthernet0/0
C    192.168.6.0/24 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback1
C    192.168.2.0/24 is directly connected, FastEthernet1/0
R    192.168.3.0/24 [100/2] via 192.168.6.2, 00:00:14, FastEthernet0
When R5's F0/0 link goes down, check R5's routing table again:
R5(config)#int f0/0
R5(config-if)#sh
*Mar  1 01:50:52: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar  1 01:50:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R5#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
R       1.1.1.0 [120/2] via 192.168.2.2, 00:00:02, FastEthernet1/0
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
R    192.168.4.0/24 [120/2] via 192.168.2.2, 00:00:02, FastEthernet1/0
R    192.168.5.0/24 [120/2] via 192.168.2.2, 00:00:02, FastEthernet1/0
C    192.168.1.0/24 is directly connected, Loopback1
C    192.168.2.0/24 is directly connected, FastEthernet1/0
R    192.168.3.0/24 [120/2] via 192.168.2.2, 00:00:02, FastEthernet1/0


 

posted @ 2020-03-27 23:16  cyrusxx